Forum Discussion
Al_Faller_1969
Nimbostratus
Mar 16, 2011
Timeouts for LDAP with NPath Routing
Hi All,
I'm attempting to use NPath Routing for a pool of LDAP servers. I've got it working great, except for an issue with what I'm assuming is an idle timeout. Some of the LDAP clients (I have no control over them) try to keep a persistent connection to the LDAP server, and at some point the connection is being severed. I'm guessing it's the idle timeout on the NPath L4 profile I have? It's currently set at the default of 300 sec. I was considering setting it to slightly over 2 hours, so the keepalive ping from the server (which I believe is 2 hours for Linux) would keep any persistent connections open. Do you think this is the cause? Do you think changing the idle timeout would help?
How can I keep an eye on these persistent connections to make sure they don't accumulate too fast?
Thanks in advance!
Al
6 Replies
- hoolio
Cirrostratus
Hi Al,
I don't see any issues with extending the FastL4 profile idle timeout. You can check the 'b conn' output for the number of connection table entries. Note that b conn will only return 7037 connections:
sol6573: The bigpipe conn command displays a maximum of 7,037 connections
http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6573.html
Aaron
- Al_Faller_1969
Nimbostratus
Hi Aaron,
Thanks for your input. I made the change and it has definitely improved things. I have found no negative effects either.
Regards,
Al
- Hamish
Cirrocumulus
FWIW, I used to run a quite large LDAP directory behind F5 LTMs. It isn't uncommon for apps to leave idle connections for many hours and then expect them to be up and running instantly still... 2 hours may be too short.
However, there is a chance that either the client or the server will be specifying SO_KEEPALIVE on the sockets. If so, then setting the TCP keepalive interval to something reasonably short (defined as about 2/3 of the minimum idle timeout value of all the devices in the solution) will mean that the IP stack itself will send keepalives (basically it'll send ACK packets now and again so the endpoint, and any firewall/stateful devices in the path, know the endpoints haven't 'gone away').
H
- coda6_52611
Nimbostratus
I am trying to design a solution for NPath routing and AD LDAP services. Are your pool members all on the same subnet, or are they on different subnets? The articles I found on the KB only give examples for a single subnet.
Thanks,
Ken
- nitass
Employee
"Are your pool members all on the same subnet, or are they on different subnets?"
If I am not wrong, since the destination address is not translated, the pool member must be in the same subnet as the BIG-IP (connected subnet).
- Hamish
Cirrocumulus
That's certainly the easiest... But if something else looked after routing the packet internally to the correct backend, it'd still work... For example you might have two backends reachable via two different routers. As long as the LTM routed them via the separate routers, and the routers passed the packets onto the backends, it'd still work.
Be horrendously complicated though...
H
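Hamish's keepalive suggestion above (start probing at about 2/3 of the smallest idle timeout in the path) and Al's original question about the 2-hour Linux default are worth seeing as actual socket code. The block below is an added example written for this page; it is not code from any of the posters or from F5. It uses the Linux socket option names (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) with the macOS/BSD TCP_KEEPALIVE fallback, and the timeouts passed in (300 s for the FastL4 profile default, 7200 s for the Linux tcp_keepalive_time default) are constructed for the demonstration. The socket is left unconnected so the script runs offline; in real use you would connect it to the LDAP VIP before the first bind.

```python
import socket


def keepalive_params(idle_timeouts, probes=3):
    """Derive TCP keepalive timers from the idle timeouts of every stateful
    device in the path (FastL4 profile, firewalls, the peer's own TCP stack).

    Rule of thumb from the thread: send the first probe at roughly 2/3 of the
    smallest idle timeout, so the keepalive ACK refreshes every device's
    connection-table entry well before it expires.  The remaining third is
    split across `probes` retries so a dead peer is also detected before the
    path tears the flow down.

    Returns (keepidle_seconds, keepintvl_seconds, keepcnt).
    """
    if probes < 1:
        raise ValueError("need at least one probe")
    min_timeout = min(idle_timeouts)
    if min_timeout < 3:
        raise ValueError("idle timeout too small to keep a flow alive")
    keepidle = max(1, (2 * min_timeout) // 3)
    keepintvl = max(1, (min_timeout - keepidle) // probes)
    return keepidle, keepintvl, probes


def apply_keepalive(sock, idle_timeouts, probes=3):
    """Enable SO_KEEPALIVE on `sock` and, where the OS exposes per-socket
    timers, replace the kernel defaults (2 h idle on Linux) with values
    derived from `idle_timeouts`.  Returns the (idle, interval, count) used.
    """
    keepidle, keepintvl, keepcnt = keepalive_params(idle_timeouts, probes)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)

    # Linux names the idle timer TCP_KEEPIDLE; macOS/BSD call it TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None)
    if idle_opt is None:
        idle_opt = getattr(socket, "TCP_KEEPALIVE", None)
    for opt, value in ((idle_opt, keepidle),
                       (getattr(socket, "TCP_KEEPINTVL", None), keepintvl),
                       (getattr(socket, "TCP_KEEPCNT", None), keepcnt)):
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return keepidle, keepintvl, keepcnt


def keepalive_enabled(sock):
    """True if SO_KEEPALIVE is set on the socket."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def demo_keepalive(idle_timeouts):
    """Create a TCP socket, apply the derived timers and report what was set.
    The socket is never connected, so this runs offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        params = apply_keepalive(s, idle_timeouts)
        return params, keepalive_enabled(s)
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed inputs: FastL4 profile default 300 s, Linux
    # tcp_keepalive_time default 7200 s on the LDAP server.
    print(demo_keepalive([300, 7200]))
```

Two points for practice. First, this only helps on an endpoint you control: Al said he cannot change the clients, but the LDAP server side can often be covered by the same approach (the listener sets SO_KEEPALIVE and the host sets net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes via sysctl on Linux). Second, raising the FastL4 idle timeout as Al did is the complementary fix from the BIG-IP side; the trade-off is that a higher timeout lets abandoned flows sit in the connection table longer, which is exactly what his follow-up question about accumulating connections is getting at.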